Bug 278573

Summary:

selinux_file_mmap always enforce mapping the 0 page

Product:

Gentoo Security

Reporter:

Brayan Arraes (YacK) <brayan>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
patch	none

Description Brayan Arraes (YacK) 2009-07-21 14:50:24 UTC

Currently SELinux enforcement of controls on the ability to map the 0 page
is determined by the mmap_min_addr tunable.  This patch causes SELinux to
ignore the tunable and to always (but ONLY) protect the 0 page.

The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
permissions will always protect the 0 page based on it's mmap_zero
permission.

This allows users who need to disable the mmap_min_addr controls (usual reason
being they run WINE as a non-root user) to do so and still have SELinux
controls preventing confined domains (like a web server) from being able to
map the 0 page.

Note: the additional SELinux restriction will now ONLY protect the 0 page.
CAP_SYS_RAWIO will protect anything between 0 and mmap_min_addr, but SELinux
will only protect between 0 and PAGE_SIZE.

Reproducible: Didn't try

Comment 1 Brayan Arraes (YacK) 2009-07-21 14:58:31 UTC

Created attachment 198709 [details, diff]
patch

patch found in the lkm

Comment 2 Chris Richards 2011-02-01 02:13:19 UTC

This bug appears to be resolved in the kernel as of 2.6.31 using the CONFIG_LSM_MMAP_MIN_ADDR parameter.  Can we close this bug?